Ransomware: Your Worst IT Catastrophe
Ransomware has become an all too frequent cyber pandemic that poses an existential danger to businesses unprepared for an attack. Crypto-ransomware families such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock have been around for years and still inflict damage. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with a steady stream of as yet unnamed malware, not only encrypt on-line files but also seek out and destroy the recovery mechanisms reachable from the compromised network, such as volume shadow copies and backups stored on network shares. Files synced to cloud storage can be encrypted as well, because the sync client faithfully uploads the damaged versions. In a poorly designed data protection solution this can render every backup useless and effectively knocks the entire system back to zero.
Bringing applications and information back on-line after a ransomware event becomes a race against time as the targeted business fights to stop lateral movement, eradicate the crypto-ransomware and restore mission-critical operations. Because the attackers need time to move laterally and stage the encryption, detonation is often timed for weekends and holidays, when a successful intrusion typically takes longer to discover and respond to. This multiplies the difficulty of quickly mobilizing and organizing an experienced mitigation team.
Progent provides a variety of support services for protecting Pasadena enterprises from ransomware events. These include user training to help staff recognize and avoid phishing attempts, and ProSight Active Security Monitoring (ASM), an endpoint detection and response (EDR) service built on SentinelOne's AI-based threat defense to detect and contain zero-day and other modern malware attacks. Progent also provides expert ransomware recovery consultants with the skill and perseverance to reconstruct a breached environment as quickly as possible.
Progent's Ransomware Restoration Help
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the attackers will supply working decryption keys for any or all of your files. Kaspersky found that 17% of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also very costly. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical crypto-ransomware demand, which ZDNet put at approximately $13,000 for smaller businesses. The alternative is to piece the mission-critical elements of your IT environment back together. Without access to complete, uncompromised backups, this requires a broad range of IT skills, top-notch team management, and the capacity to work around the clock until the recovery is complete.
For two decades, Progent has provided professional IT services to companies across the US and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants with advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of experience allows Progent to quickly understand critical systems, salvage the surviving components of your IT environment after a ransomware penetration, and rebuild them into a working system.
Progent's security team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the importance of acting swiftly and in concert with a client's management and IT staff to prioritize tasks and get the most important applications back on-line as quickly as humanly possible.
Case Study: A Successful Crypto-Ransomware Attack Restoration
A customer contacted Progent after their organization was brought down by Ryuk ransomware. Ryuk was initially linked by some researchers to North Korean state-sponsored actors because of code it shares with the older Hermes ransomware, but subsequent analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific organizations with little or no tolerance for operational disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago with around 500 staff members. The Ryuk event had disabled all company operations and manufacturing capabilities. Most of the client's data backups had been on-line at the time of the attack and were encrypted along with everything else. The client was preparing to pay the ransom demand (over $200,000) and hope for the best, but in the end reached out to Progent.
"I can't say enough about the support Progent provided us during the most stressful time of (our) company's survival. We may have had to pay the hackers behind this attack if not for the confidence the Progent team provided us. The fact that you were able to get our messaging and critical servers back into operation in less than one week was earth shattering. Every single expert I got help from or e-mailed at Progent was laser focused on getting our company operational and was working at all hours to bail us out."
Progent worked with the client to quickly identify and prioritize the critical applications that had to be recovered before business operations could resume:
To begin, Progent followed industry best practices for malware incident response by isolating the affected systems and removing the malicious code. Progent then started the work of restoring Windows Active Directory, the core of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not operate without AD, and the business's financial and MRP applications ran on SQL Server, which relied on Active Directory to authenticate users and authorize their access to the data.
- Active Directory
In less than 48 hours, Progent rebuilt Windows Active Directory to its pre-attack state, then moved on to rebuilding and storage recovery of the most important servers. All Exchange-related AD objects and attributes were intact, which accelerated the restoration of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Data Files) from staff PCs to recover mailbox contents. A reasonably recent off-line backup of the customer's financials/ERP systems made it possible to bring these essential applications back on-line. Although major work remained to recover fully from the Ryuk event, critical systems were restored rapidly:
"For the most part, the production operation never missed a beat and we made all customer orders."
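The OST collection step above only works if clean copies can be told apart from ones the ransomware reached before any mailbox is rebuilt from them. The following Python script is an added example, not Progent's own tooling or code from this case: it triages a collection point of Outlook data files using the header magic values documented in Microsoft's MS-PST specification ("!BDN" at offset 0, "SM" at offset 8) plus a byte-entropy check, and it generalizes to renamed copies such as mail.ost.<ransom extension>. The sample files, their names and the 7.5-bit entropy threshold are constructed here as assumptions.

```python
"""Triage Outlook data files (.ost/.pst) before trusting them for mail recovery.

Added example, not Progent's tooling. It assumes the file header layout documented
in Microsoft's MS-PST specification: bytes 0-3 hold the magic "!BDN" and bytes 8-9
hold the client magic "SM" (both shared by PST and OST files). Ransomware that
encrypts a file in place overwrites that header, and encrypted content has
near-maximal byte entropy, so either signal marks a copy as unusable.
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

OUTLOOK_MAGIC = b"!BDN"
CLIENT_MAGIC = b"SM"
SAMPLE_BYTES = 4096          # leading region examined per file
ENTROPY_THRESHOLD = 7.5      # bits per byte; assumption: ciphertext sits near 8.0


@dataclass
class Verdict:
    path: str
    usable: bool
    entropy: float
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_header(head: bytes) -> Tuple[bool, str]:
    """Validate the fixed Outlook data file magic values."""
    if head[:4] != OUTLOOK_MAGIC:
        return False, "missing !BDN magic (header overwritten)"
    if head[8:10] != CLIENT_MAGIC:
        return False, "missing SM client magic"
    return True, "header intact"


def triage_file(path: str) -> Verdict:
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ok, reason = check_header(head)
    ent = shannon_entropy(head)
    # Some families leave the first bytes alone and encrypt the rest, so a good
    # magic with random-looking content right behind it is still a red flag.
    if ok and ent > ENTROPY_THRESHOLD:
        ok, reason = False, "magic intact but content is random-looking"
    return Verdict(path, ok, round(ent, 2), reason)


def triage_tree(root: str) -> List[Verdict]:
    """Walk a collection point and judge every .ost/.pst, including renamed
    copies such as mail.ost.<ransom extension> (name match is an assumption)."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            lowered = name.lower()
            if ".ost" in lowered or ".pst" in lowered:
                found.append(triage_file(os.path.join(dirpath, name)))
    return sorted(found, key=lambda v: v.path)


def demo() -> Dict[str, Verdict]:
    """Build three constructed sample files and triage them (synthetic data)."""
    intact = OUTLOOK_MAGIC + b"\x00" * 4 + CLIENT_MAGIC + b"\x17\x00" + b"\x00" * 500
    random_like = bytes(range(256)) * 16          # stand-in for ciphertext
    samples = {
        "alice.ost": intact,                        # collected clean from a PC
        "bob.ost": random_like,                     # encrypted in place
        "carol.pst": intact[:10] + random_like,     # header kept, body encrypted
    }
    root = tempfile.mkdtemp(prefix="ost-triage-")
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return {os.path.basename(v.path): v for v in triage_tree(root)}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:12} usable={v.usable!s:5} entropy={v.entropy:4.2f} {v.reason}")
```

Point triage_tree() at the share where collected OST files are staged; anything reported as not usable should be set aside rather than imported into a rebuilt mailbox. The magic check alone misses partially encrypted files, which is why the entropy test is applied even when the header looks right.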
Over the next couple of weeks, important milestones in the recovery were reached in close collaboration between Progent engineers and the customer:
- Self-hosted web applications were returned to operation with no loss of information.
- The MailStore archive, holding more than 4 million historical Exchange emails, was brought back on-line and made accessible to users.
- The CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control modules were fully functional.
- A new Palo Alto Networks PA-850 firewall was brought on-line.
- Nearly all user desktops were back in service.
"A lot of what was accomplished in the early hours is mostly a haze for me, but my team will not forget the countless hours all of you put in to help get our business back. I've been working with Progent for the past ten years, maybe more, and every time Progent has shined and delivered as promised. This event was a Herculean accomplishment."
A potential business-ending disaster was averted with top-tier professionals, a wide spectrum of IT skills, and tight collaboration. In hindsight, the crypto-ransomware incident described here should have been prevented or contained by up-to-date security technology and practices: staff training, tested incident response procedures, off-line or otherwise isolated backups, and disciplined patching. But the fact is that criminal and state-sponsored attackers operating from Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by a ransomware penetration, remember that Progent's team has substantial experience in crypto-ransomware prevention, remediation, and data recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get some sleep after we made it past the initial fire. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"
Download the Crypto-Ransomware Recovery Case Study Datasheet
To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Contact Progent for Ransomware System Recovery Services in Pasadena
For ransomware system restoration expertise in the Pasadena area, phone Progent at 800-462-8800 or see Contact Progent.